Server data from the Official MCP Registry
Single MCP hub: discover, add, audit, and govern MCP servers across every AI client.
Single MCP hub: discover, add, audit, and govern MCP servers across every AI client.
CuratedMCP is a well-architected MCP hub/launcher with reasonable security practices. It properly isolates child servers, uses environment variables for credentials, and implements a local-first audit model. However, there are several moderate-severity concerns: overly broad environment variable passthrough to child processes that could leak unintended secrets, potential command injection via unvalidated subcommand arguments in guard mode, incomplete credential validation in the broker implementation, and missing input sanitization in the dashboard HTML template. The codebase demonstrates good intent (failure isolation, stderr piping) but needs hardening in credential handling and subprocess spawning. Supply chain analysis found 8 known vulnerabilities in dependencies (2 critical, 3 high severity). Package verification found 1 issue.
7 files analyzed · 17 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: CURATOR_API_URL
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-oneprofile-dev-mcp-launcher": {
"env": {
"CURATOR_API_URL": "your-curator-api-url-here"
},
"args": [
"-y",
"curatedmcp"
],
"command": "npx"
}
}
}From the project's GitHub README.
The CuratedMCP Agent. One CLI to discover, run, audit, and govern every MCP server your AI tools (Claude, Cursor, Windsurf, Copilot, Gemini) use.
# 10-second risk scan of your machine — no signup
npx curatedmcp audit
Plug it in once. Add servers anytime. Audit and govern them from one place.
| Command | What it does |
|---|---|
curatedmcp audit | Scan your MCP configs for risky servers (high/medium/low). Zero auth, instant value. |
curatedmcp (no args) | Run as an MCP hub server over stdio for Claude, Cursor, Windsurf, etc. |
curatedmcp add <slug> | Add a server from the CuratedMCP catalog to your stack. |
curatedmcp remove <slug> | Remove a server from your stack. |
curatedmcp list | Show your current stack. |
curatedmcp init | Print the config snippet to drop into your AI client. |
curatedmcp guard -- <cmd> | Run a server behind the local action firewall. |
curatedmcp login | Authenticate the agent to your CuratedMCP account. |
curatedmcp sync | Pull your team's registry config and push audit results. |
npx curatedmcp audit
Scans every MCP config file on your machine (Claude Desktop, Cursor, Windsurf, Claude Code, …), classifies each server against the CuratedMCP catalog, and flags:
No signup, no cloud, no data leaves your machine. Logged in? Add --sync to push the result to your dashboard.
If you use MCP servers across multiple AI clients, you've felt this pain: configure GitHub MCP in Claude Desktop, then re-do it in Cursor, then in Windsurf. New agent ships? Re-paste every config.
The agent fixes that. It's one MCP entry that fans out to every server you've added, in every AI client.
Claude Cursor Windsurf Copilot Gemini
\ \ | / /
┌──────────────────────────┐
│ curatedmcp │ ← one config in each agent
│ (the MCP hub) │
└────┬──────┬──────┬───────┘
│ │ │
GitHub Postgres Stripe ← `add`'d once, available everywhere
{
"mcpServers": {
"curatedmcp": {
"command": "npx",
"args": ["-y", "curatedmcp"]
}
}
}
| Client | Path |
|---|---|
| Claude Desktop | ~/Library/Application Support/Claude/claude_desktop_config.json (mac) / %APPDATA%\Claude\claude_desktop_config.json (win) |
| Cursor | ~/.cursor/mcp.json |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
| Claude Code | ~/.claude/mcp.json (or .claude/mcp.json per-project) |
npx curatedmcp add github # prompts for GITHUB_TOKEN
npx curatedmcp add postgres --env DATABASE_URL=postgres://...
npx curatedmcp list
Tools appear with a <slug>__ prefix:
github__create_issuepostgres__queryfilesystem__read_filenpx curatedmcp guard -- npx -y @modelcontextprotocol/server-github
Wraps an MCP server with a local policy engine that gates every tools/call against
~/.curatedmcp/guard-policy.json. Default policy allows read, prompts on write, blocks destructive.
npx curatedmcp guard --dashboard --port 7878 -- npx -y @some/server
# Then open http://localhost:7878 for the live action log
Once you have a CuratedMCP account, link the CLI to it:
npx curatedmcp login # paste a registry key from your dashboard
npx curatedmcp sync # pull team registry config + push audit results
npx curatedmcp sync --team acme-eng # pick a specific team if you're in more than one
Sync pulls the locked-down server list approved by your team and merges it into your local stack — so every developer's machine runs the same vetted set of servers.
~/.curatedmcp/stack.json — your stack, plain JSON, hand-editable, version-controllable:
{
"version": 1,
"entries": [
{
"slug": "github",
"name": "GitHub",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": { "GITHUB_TOKEN": "ghp_xxxxxxxxxxxx" },
"addedAt": "2026-05-01T10:14:00.000Z"
}
]
}
Set "disabled": true on an entry to skip it without removing it.
Other files (created on first use):
~/.curatedmcp/auth.json — login token (mode 0600)~/.curatedmcp/guard-policy.json — firewall policy~/.curatedmcp/launcher.json — anonymous client UUIDThe agent itself exposes discovery tools to your AI client, so you can ask:
"Find me an MCP server for Postgres." "What's the best Stripe MCP?" "Add the Postgres MCP server to my stack."
The agent uses search_servers, get_server_details, and add_to_stack to do all of that without you leaving the chat.
~/.curatedmcp/. No cloud sync unless you login.--no-telemetry or CURATOR_TELEMETRY=false.login and run --sync.The agent replaces three earlier packages, which are now deprecated:
| Old | New |
|---|---|
@curatedmcp/launcher | curatedmcp (no args) / curatedmcp add / curatedmcp list |
@curatedmcp/auditor (aka mcp-audit) | curatedmcp audit |
@curatedmcp/sentinel (aka sentinel) | curatedmcp guard |
A launcher bin alias is kept for back-compat.
MIT licensed.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.